chore(feat/slsa)[SEC-1085]: add publish pipeline [INS-3792] (#347)

* chore: add publish pipeline [INS-3792] * refactor build and publish pipeline to add provenance and sbom scan --------- Co-authored-by: saisatishkarra <[email protected]>
Kong · May 16, 2024 · 2e8c285 · 2e8c285
1 parent 7efd8e0
commit 2e8c285
Show file tree

Hide file tree

Showing 2 changed files with 94 additions and 1 deletion.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,16 +1,38 @@
-name: Build
+name: Build and Publish Httpsnippet
 
 on:
   push:
     branches:
       - master
+    tags:
+      - '*' # Restrict any specific tag formats
   pull_request:
     types:
       - opened
       - synchronize
   workflow_dispatch:
 
 jobs:
+  scan:
+    permissions:
+      packages: write 
+      contents: write # publish sbom to GH releases/tag assets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout branch
+        uses: actions/checkout@v3
+        with:
+          path: ${{ github.repository }}
+
+      # Perform SCA analysis for the code repository
+      # Produces SBOM and CVE report
+      # Helps understand vulnerabilities / license compliance across third party dependencies
+      - id: sca-project
+        uses: Kong/public-shared-actions/security-actions/sca@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
+        with:
+          dir: ${{ github.repository }}
+          upload-sbom-release-assets: true
+
   build:
     runs-on: ubuntu-latest
     strategy:
@@ -37,3 +59,31 @@ jobs:
 
       - name: Build
         run: npm run build
+
+  publish:
+    runs-on: ubuntu-latest
+    if: ${{ github.ref_type == 'tag' && github.repository_owner == 'Kong' }}
+    steps:
+      # checkout tag
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.9.0
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Publish to NPM
+        run: npm publish --no-git-checks --provenance --tag ${{ github.sha }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,43 @@
+name: Release httpsnippet
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Tag version to release'
+        required: true
+
+env:
+  # Release Tag to build and publish
+  TAG: ${{ github.event.inputs.version }}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git user
+        uses: Homebrew/actions/git-user-config@master
+        with:
+          username: ${{ (github.event_name == 'workflow_dispatch' && github.actor) || 'insomnia-infra' }}
+
+      - name: Tag the Repository
+        run: |
+          git tag ${{ env.TAG }}
+          git push origin ${{ env.TAG }}
+        
+      - name: Create Tag and Release
+        uses: ncipollo/release-action@v1
+        id: core_tag_and_release
+        with:
+          tag: ${{ env.TAG }}
+          name: "httpsnippet ${{ env.TAG }} 📦"
+          generateReleaseNotes: true
+          prerelease: false
+          draft: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}